LAB 1 Basic ASA Configuration
Initial configuration of an ASA is similar to that of a router: you use a rollover cable to connect the console port of the ASA to the COM port of a PC. The Command Line Interface (CLI) is a little different from that of an IOS router, but the modes are similar. Unprivileged mode ">" is the most basic level of access to the Cisco device, the first mode, in which you can issue very few commands. To configure your ASA you need to get into privileged mode "#".
Task-1 Getting Started With ASA
When we boot up the device we get into unprivileged mode, from where we can view the details of the ASA: its supported features, available interfaces, licensing, etc.
ciscoasa> show version
Cisco ASA Security Appliance Software Version 8.0(4)     <-- IOS Version of ASA
ciscoasa up 33 mins 30 secs                              <-- Uptime of device
Hardware: PIX-525, 256 MB RAM, CPU Pentium II 1 MHz
Flash E28F128J3 @ 0xfff00000, 16 MB                      <-- Hardware Configurations
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Licensed features for this platform:                     <-- License Details
Maximum Physical Interfaces : 10
Maximum VLANs               : 100
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : Unlimited
This platform has an Unrestricted (UR) license.
Serial Number: 403340212
Running Activation Key: 0x497acdef 0x39ef68ac 0x36d54110 0x2f9868d7
Configuration has not been modified since last system restart.
From unprivileged mode we can issue a few more commands such as ping, traceroute and login, but to make any changes on the device or to configure it we need to get into privileged mode. From unprivileged mode, issue the enable command to get into privileged mode.
ciscoasa> enable
Password:                <-- The default password on ASA is blank <null>; hit Enter when prompted
ciscoasa#
Once you are in privileged mode you can issue all commands to the device. To change the configuration you need to get into configure mode, which you enter by issuing the configure terminal command in privileged mode. Because the default enable password is blank, the first change made here is to set one (cisco123 is this lab's value).
ciscoasa# configure terminal
ciscoasa(config)# enable password cisco123     <-- Configuring Enable Password
ASA(config)#
In the output of the show version command you can view the licensing details of the device, which show what the device is capable of. The ASA comes with two different licenses:
· Base License
· Security Plus License
By default the ASA comes with the Base License, under which a few functions of the ASA are restricted or locked. To use those functions we need to get an activation key from Cisco and install it on the device.
ASA(config)# activation-key 0x00000000 0x00000000 0x00000000 0x00000000
The following features available in flash activation key are NOT
available in new activation key:
Failover is different.
   flash activation key: Restricted(R)
   new activation key: Unrestricted(UR)
Proceed with update flash activation key? [confirm]     <-- Press Enter
WARNING: The running activation key was not updated with the requested key.
The flash activation key was updated with the requested key, and will become active after the next reload.
Task-2 Configuring Interfaces as per the Following Details
Interface  | IP Address  | Name    | Security Level
Ethernet 0 | 192.168.1.1 | Outside | 0
Ethernet 1 | 10.0.1.1    | Inside  | 100
Ethernet 2 | 172.16.0.1  | DMZ     | 50
As on a router, interface configuration on the ASA is done from interface mode only.
ASA(config)# interface ethernet 0
ASA(config-if)# ip address 192.168.1.1 255.0.0.0
ASA(config-if)# no shutdown
ASA(config-if)# interface ethernet 1
ASA(config-if)# ip address 10.0.1.1 255.0.0.0
ASA(config-if)# no shutdown
ASA(config-if)# interface ethernet 2
ASA(config-if)# ip address 172.16.0.1
ASA(config-if)# no shutdown
Apart from the IP address, on the ASA we also have to configure two more settings: the name of the interface and the trust level of the interface (security level). The name is any logical name (such as Inside, Outside, Private) given to the interface; throughout the configuration the interface is referred to by that name, not by its physical name (Ethernet 0 or 1). Assigning a name to an interface is mandatory: even if you assign an IP address, the interface will not function until you configure a name for it.
The security level is the value that defines how trusted an interface is. An interface with a higher security level can communicate with interfaces that have a lower security level, but by default an interface with a lower security level cannot initiate communication to an interface with a higher one.
ASA(config-if)# interface ethernet 0
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# security-level 0
ASA(config-if)# interface ethernet 1
ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA(config-if)# interface ethernet 2
ASA(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ASA(config-if)# security-level 50
Verification
ASA# show running-config ip
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.0.0.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.0.0.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.0.0
!
ASA#
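The nameif requirement and the security-level rule described above can be checked mechanically against the Verification output. The following Python script is an added example, not part of the original lab: the function names are hypothetical, the sample is constructed from the output shown above, and treating equal security levels as blocked is an assumption.

```python
import re
from itertools import permutations

# Constructed sample: the "show running-config ip" output from the Verification step.
SAMPLE = """\
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.0.0.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.0.0.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.0.0
!
"""

def parse_interfaces(config):
    """Map each physical interface to its nameif / security-level / ip address values."""
    interfaces, current = {}, None
    for line in map(str.strip, config.splitlines()):
        head = re.match(r"interface\s+(\S+)$", line)
        field = re.match(r"(nameif|security-level|ip address)\s+(.+)$", line)
        if head:
            current = interfaces.setdefault(head.group(1), {})
        elif line == "!":
            current = None  # "!" closes the current interface stanza
        elif field and current is not None:
            current[field.group(1)] = field.group(2)
    return interfaces

def unnamed(interfaces):
    """Interfaces without a nameif; per the lab text they will not function."""
    return sorted(p for p, f in interfaces.items() if "nameif" not in f)

def default_initiations(interfaces):
    """(src, dst) pairs where src may initiate by default (equal levels: assumed blocked)."""
    named = [f for f in interfaces.values() if "nameif" in f and "security-level" in f]
    return sorted((a["nameif"], b["nameif"]) for a, b in permutations(named, 2)
                  if int(a["security-level"]) > int(b["security-level"]))

if __name__ == "__main__":
    print(unnamed(parse_interfaces(SAMPLE)), default_initiations(parse_interfaces(SAMPLE)))
```

Any direction missing from the returned list, such as outside to inside, is one the ASA does not allow to be initiated by default.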